79 Server Security Tips for You to Secure Your Server

Server Security Tips

Here are 79 server security tips to help you improve your web server security. I start with passwords. You would be surprised at the number of cases we handle that boil down to bad passwords. Web application security can also be improved with some simple steps, and it is time everyone stopped using insecure communication protocols.

Check out the list and send in your server security tips to get up to 100.

Password Security

Use passwords with at least 8 characters.

Use complex passwords that include numbers, symbols, and punctuation.

Use a variety of passwords for different accounts or roles.

Test passwords in a secure password tool.

Do not use dictionary words as passwords, e.g. myblackdog.

Do not repeat sequences of characters, e.g. 3333, abcdabcd.

Do not use personal information in passwords, e.g. your birthdate.

Do not store passwords on laptops, smartphones or tablets that can be lost.

Use a password manager to securely keep track of your passwords (See our post on LastPass).

Set up two-factor authentication when available.

Use a secure password generator.
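The password rules above can be enforced at account creation rather than left to users. The checker below is an added example in Python, not code from the original post: it applies the minimum length, character-class, repeated-sequence, dictionary-word and personal-information rules and returns every rule a candidate password breaks. The wordlist and the complexity definition (one lowercase, one uppercase, one digit, one symbol) are assumptions made for the example; a real deployment would load a full dictionary file.

```python
import re
import string
from datetime import date

MIN_LENGTH = 8

# Constructed stand-in for a real dictionary file (a deployment would load a full
# wordlist such as /usr/share/dict/words). Only words of 4+ letters are checked so
# short accidental matches inside random strings do not fire.
COMMON_WORDS = {"black", "password", "welcome", "summer", "admin", "letmein", "dragon"}

# One character repeated 3+ times, or a 2-4 character unit repeated back to back,
# e.g. "3333", "aaa", "abab", "abcdabcd".
_REPEAT_RE = re.compile(r"(.)\1{2,}|(.{2,4})\2")


def has_repeated_sequence(password):
    return _REPEAT_RE.search(password) is not None


def contains_dictionary_word(password, words=COMMON_WORDS):
    lowered = password.lower()
    return any(len(w) >= 4 and w in lowered for w in words)


def date_forms(d):
    """Common ways a birthdate gets typed into a password."""
    return {d.strftime(f) for f in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y")}


def contains_personal_info(password, name="", birthdate=None):
    lowered = password.lower()
    tokens = [t for t in name.lower().split() if len(t) >= 3]
    if birthdate is not None:
        tokens.extend(date_forms(birthdate))
    return any(t in lowered for t in tokens)


def check_password(password, name="", birthdate=None):
    """Return the list of rules the password violates; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol or punctuation": any(c in string.punctuation for c in password),
    }
    for label, present in classes.items():
        if not present:
            problems.append(f"no {label}")
    if has_repeated_sequence(password):
        problems.append("contains a repeated sequence")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if contains_personal_info(password, name, birthdate):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ("myblackdog", "abcdabcd", "Alice1990!x", "Xk9#Lm2q"):
        result = check_password(candidate, name="Alice Smith", birthdate=date(1990, 5, 17))
        print(candidate, "->", result or "accepted")
```

Returning the full list of violations rather than stopping at the first lets the signup form tell the user everything to fix in one round trip; the personal-information check needs the account's own name and birthdate, which is why they are passed in rather than guessed.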

Secure Communications

Use Secure FTP instead of plain FTP.

Use SSH instead of telnet.

Use secure email connections (POP3S/IMAPS/SMTPS).

Secure all web administration areas with SSL (HTTPS).

Secure your web forms with SSL (HTTPS).

Use VPN when available.

Use firewalls on all endpoints, including servers and desktops.

Use residential/office firewall/IPS systems.

Encrypt highly sensitive emails.

Do not use public computers to access sensitive information.

Web Application Security

Sign up for notices about web application updates.

Update your web applications promptly.

Scan web applications using remote security tools such as Nessus.

Use a web application firewall.

Test file upload fields to ensure code cannot be uploaded.

Have custom code reviewed for security issues.

Use coding frameworks with good security history.

Do not rely solely on obscure directory/file names for security.

Secure web application admin areas with IP based restrictions.

Sanitize user input.

Put sensitive files outside of document root or restrict access.

Avoid using shell commands within scripts.

Don’t trust HTTP Referer fields, as they are easily forged.

Use POST instead of GET to submit data so sensitive information is not in the URL.

Validate data server-side not client-side.

Do not rely on relative file and path names. Always set base directories.
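Three of the tips above (checking upload fields, keeping sensitive files outside the document root, and always anchoring file access to a base directory) come together in how a web application handles an uploaded file. The code below is an added example in Python, not code from the original post: it confines any user-supplied path to a fixed base directory, accepts an upload only when its single extension is on an allowlist and its leading bytes match that type, and places the file under a directory that is outside the document root. The directory names and the allowlist are placeholders chosen for the example.

```python
import os
import re
from pathlib import Path

# Constructed placeholder layout: uploads are stored OUTSIDE the document root so the
# web server never serves or executes them directly (a download handler streams them).
DOCUMENT_ROOT = Path("/srv/example/public")            # placeholder
UPLOAD_DIR = Path("/srv/example/private/uploads")      # placeholder, not under DOCUMENT_ROOT

# Extension allowlist paired with the leading bytes each type must start with, so a
# script renamed to "shell.jpg" is rejected by content as well as by name.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
_SAFE_STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_under_base(base, user_path):
    """Join a user-supplied path onto base and resolve it; return the real path only
    if it is still inside base, otherwise None. Covers '..', absolute paths and
    symlinks pointing outside, because the comparison is done after resolution."""
    base_real = Path(base).resolve()
    candidate = (base_real / user_path).resolve()
    if candidate != base_real and base_real not in candidate.parents:
        return None
    return candidate


def validated_upload_name(original_name):
    """Return a canonical 'stem.ext' for an upload, or raise ValueError.
    Directory components are stripped, exactly one extension is required (so
    'shell.php.jpg' is refused), the stem is limited to safe characters and the
    extension must be on the allowlist."""
    name = os.path.basename(original_name.replace("\\", "/"))
    if name.count(".") != 1:
        raise ValueError("filename must have exactly one extension")
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if not _SAFE_STEM_RE.match(stem):
        raise ValueError("unsafe characters in filename")
    if ext not in SIGNATURES:
        raise ValueError(f"extension .{ext} is not allowed")
    return f"{stem}.{ext}"


def content_matches_extension(content, ext):
    """True if the file's leading bytes match the signature expected for ext."""
    return any(content.startswith(sig) for sig in SIGNATURES[ext])


def accept_upload(original_name, content, upload_dir=UPLOAD_DIR):
    """Validate an upload by name and by content and return the confined path under
    upload_dir where it would be written (nothing is written to disk here)."""
    name = validated_upload_name(original_name)
    ext = name.rsplit(".", 1)[1]
    if not content_matches_extension(content, ext):
        raise ValueError("file content does not match its extension")
    target = resolve_under_base(upload_dir, name)
    if target is None:
        raise ValueError("resolved path escapes the upload directory")
    return target


if __name__ == "__main__":
    print(resolve_under_base(DOCUMENT_ROOT, "css/site.css"))
    print(resolve_under_base(DOCUMENT_ROOT, "../../etc/passwd"))   # None: escapes base
    print(accept_upload("../../photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    try:
        accept_upload("photo.png", b"<?php echo 1; ?>")
    except ValueError as err:
        print("rejected:", err)
```

The path check compares the resolved candidate against the resolved base instead of looking for ".." in the string, so an attacker-controlled name cannot sidestep it with encoding tricks or a symlink; and because the upload directory sits outside the document root, even a file that slipped past the name and content checks would not be reachable as a URL.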